Internal Revenue Service Commissioner John Koskinen insisted that his agency was secure even after a Government Accountability Office report pointed out holes in the IRS’ cybersecurity. (Associated Press)

The IRS’s computers remain vulnerable to hackers, the government’s top auditor said Monday, adding that changes were still needed months after the agency suffered a breach in which hundreds of thousands of taxpayers’ most sensitive information was stolen.

Passwords to key agency systems “could be easily guessed,” and investigators from the Government Accountability Office found the IRS didn’t require regular password changes — an important part of modern cybersecurity.

The tax agency also failed to load the latest security patches, ran obsolete software on systems, and granted some employees access — both physical and electronic — to systems they didn’t need to do their jobs.

And while the IRS had guidelines on maintaining and updating security procedures, the agency sometimes didn’t follow its own procedures, GAO investigators said.

“These deficiencies are the basis of our determination that IRS had a significant deficiency in internal control over financial reporting in its information security in fiscal year 2015,” investigators concluded in their public report.

The GAO produced another restricted version of the report, which detailed 43 specific recommendations. That report isn’t public because investigators didn’t want to publicly detail the vulnerabilities they found.

IRS Commissioner John A. Koskinen insisted his agency’s systems are sound, but said he was happy investigators provided so much detail, because it gives his agency a chance to fix problems. He said previous audits were light on those details.

Mr. Koskinen did not say what steps his agency will take to fix the problems the GAO identified, but signaled that whatever it does will likely be limited because he doesn’t think his agency has enough money.

“While we agree with GAO’s recommendations, we will review them to ensure that our actions include sustainable fixes that implement appropriate security controls balanced against agency information technology and human capital resource limitations,” he said in his official response to the GAO.

He promised a full update to Congress within two months on what the IRS will be able to do.

The IRS, like other government agencies, has been plagued by cyberattacks.

In the worst one, the agency admitted that hackers gained access to more than 720,000 taxpayer accounts, including Social Security numbers, birth dates and other sensitive information that can be used to perpetrate even more online fraud.

Hackers used information they’d already gleaned on taxpayers to access their files at the IRS over a 16-month period beginning in early 2014. The hack wasn’t discovered until the 2015 filing season.

That hack relied on what’s known as knowledge-based authentication. If a hacker can figure out the answers to personal questions, he or she can impersonate the taxpayer, stealing even more information.

The GAO said the IRS took some steps to improve its security, including moving to what’s known as multifactor authentication. But audits have found the agency hasn’t fully implemented it yet.